>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Craig White
>Sent: Monday, November 14, 2005 8:03 AM
>To: fedora-list@xxxxxxxxxx
>Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
>
>
>On Mon, 2005-11-14 at 07:48 -0800, Daniel B. Thurman wrote:
>> >From: fedora-list-bounces@xxxxxxxxxx
>> >[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
>> >Sent: Monday, November 14, 2005 7:28 AM
>> >To: For users of Fedora Core releases (E-mail)
>> >Subject: LDAP service script (/etc/init.d/ldap)
>> >
>> >
>> >
>> >Hi Folks,
>> >
>> >I got ldap working but I am not able to get ldaps (secure) to work.
>> >
>> >I ran some tests:
>> >
>> >Simple auth, no encryption
>> >====================
>> >ldapsearch -H ldap://hostname/ -b dc=example,dc=com -x
>> >
>> >RESULTS: WORKS!
>> >
>> >Simple auth, SSL via LDAPS
>> >======================
>> >ldapsearch -H ldaps://hostname/ -b dc=example,dc=com -x
>> >
>> >RESULTS: FAIL: ldap_bind: Can't contact LDAP server (-1)
>> >
>> > - Ran slapd -d -1 : See no error hints
>> > - Looked in /var/log/messages - nothing
>> > - netstat -a : shows listener: ldaps
>> >
>> >If anyone has any suggestions, please let me know!
>> >
>> >Also, if anyone has any really good links on getting ldap/kerberos/ssl
>> >working please let me know!
>> >
>> >Thanks
>> >Dan
>> >
>>
>> Sorry folks about the bad subject line. I fixed that.
>>
>> I wanted to add more information:
>>
>> openssl s_client -CAfile /etc/openldap/cacerts/ldapCA.pem -connect ldap.cdkkt.com:636
>> CONNECTED(00000003)
>> depth=1 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
>> verify return:1
>> depth=0 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
>>    i:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIID0zCCAzygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlzELMAkGA1UEBhMCVVMx
>> DzANBgNVBAgTBk9yZWdvbjESMBAGA1UEBxMJQmVhdmVydG9uMRswGQYDVQQKExJE
>> QlQgQW5kIEFzc29jaWF0ZXMxDTALBgNVBAsTBGxkYXAxFzAVBgNVBAMTDmxkYXAu
>> Y2Rra3QuY29tMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBjZGtrdC5jb20wHhcNMDUx
>> MTEzMjM1NjA4WhcNMDYxMTEzMjM1NjA4WjCBlzELMAkGA1UEBhMCVVMxDzANBgNV
>> BAgTBk9yZWdvbjESMBAGA1UEBxMJQmVhdmVydG9uMRswGQYDVQQKExJEQlQgQW5k
>> IEFzc29jaWF0ZXMxDTALBgNVBAsTBGxkYXAxFzAVBgNVBAMTDmxkYXAuY2Rra3Qu
>> Y29tMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBjZGtrdC5jb20wgZ8wDQYJKoZIhvcN
>> AQEBBQADgY0AMIGJAoGBAO17IIZe1fv3KGrM+bACxMPeqC+Y0ncsGM7lrAObSYTw
>> QlQfsF4fDnBhPrEgyYS5BD7CV5ETyBdUmQfVcs/l5G5AjhAmMUF4POieBwJWsW/I
>> hTN+nWPn1Reu6WcqpliU1Jqz5bxy17IOT93Ah/Qnrh9KNVALZ6ZoK0iRirReINIl
>> AgMBAAGjggErMIIBJzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
>> IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUmpJK9I5ZX77qgL1p/RSJ
>> 9I5MtQ8wgcwGA1UdIwSBxDCBwYAU65DeeNVXt8w3GKUqoF10LK1kf4ahgZ2kgZow
>> gZcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24xEjAQBgNVBAcTCUJlYXZl
>> cnRvbjEbMBkGA1UEChMSREJUIEFuZCBBc3NvY2lhdGVzMQ0wCwYDVQQLEwRsZGFw
>> MRcwFQYDVQQDEw5sZGFwLmNka2t0LmNvbTEeMBwGCSqGSIb3DQEJARYPYWRtaW5A
>> Y2Rra3QuY29tggkApfBH0A0Oy+kwDQYJKoZIhvcNAQEEBQADgYEAC+Y21AFYLdVB
>> psK+4IDVA2+rv8G0pGy+jO4FH+GbKGZbSzCFGPdKigpvDatCxGIndkw8LN58In92
>> 4By4U95NvYLLCjdc1DtIDMxEjTNTWwkEjKy/Nkn2vblJp8lrIrHJGimcapimr4zx
>> ui4CfJBXtrV3bc2Zp20eaLRgVciv+fU=
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
>> issuer=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1145 bytes and written 340 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES256-SHA
>>     Session-ID: EEEC2E025097267E2E39E129A1130FDA7921D57F86C4D8CC94CE4D7CBF712865
>>     Session-ID-ctx:
>>     Master-Key: 28ACBE74CC2972246E9E1039D182643652DC2CC1F91333F68B700F22318C93CCB881A287BEF91AC498B2068C7DFAB39F
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     Start Time: 1131983082
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> ***** HANGS HERE!!!!!
>>
>> So, from the test it looks like there is a problem. Anyone
>> care to comment???
>----
>guessing that you probably need some TLS_REQCERT type of entry in
>slapd.conf and perhaps an entry in ~/.ldaprc for user stuff
>
>Craig
>

I think there is perhaps a problem in the way I have created the SSL certificates and I may not have done it properly. I would like to request instructions for creating the slapd.pem file, please.

I used to do this the old way and had a hard time trying to separate the CA cert, unsigned cert/key and signed certs - so I don't know which one to use for ldap!

I noticed that there has been a change from what I am used to and that there is a new location for certificates, at /etc/pki/tls specifically. I tried all kinds of ways to get this to work and it appears that, for some reason, the ldap program is unable to find the certificate.

I added TLS* directives in /etc/ldap.conf and in /etc/openldap/slapd.conf (why the redundancy?) and put my created certs in the /etc/openldap/cacerts directory. It appears from the ldapsearch debug output that it will only search for certificates in the /etc/pki/tls directory and *maybe* in /etc/openldap/cacerts (see the '#' in front of that directory in the debug output). From the debug output, it is not clear WHAT dir/file was attempted to be opened.

Here is the debug output I got:

# ldapsearch -d -1 -H ldaps://ldap.cdkkt.com -b dc=cdkkt,dc=com -x
ldap_create
ldap_url_parse_ext(ldaps://ldap.cdkkt.com)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.cdkkt.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 216.99.218.205:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS: could not load client CA list (file:`',dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts').
TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:752
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:754
ldap_perror
ldap_bind: Can't contact LDAP server (-1)

So what does it all mean? What file was attempted, and why is it that my TLS* directives are seemingly ignored in both places specified, /etc/ldap.conf and /etc/openldap/slapd.conf?

I even copied my certificate to /etc/pki/tls/slapd.pem since no slapd.pem existed there and, oddly enough, a slapd.pem did exist in /etc/pki/tls/certs/slapd.pem - supposedly created when I set up kerberos!

Something is royally screwed up somewhere! Please help!

Kind regards,
Dan
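The script below is an added example; it is not code from this thread, from OpenLDAP or from Fedora, and it assumes OpenLDAP 2.x built against OpenSSL, the directive names it prints, and a hypothetical host name (ldap.example.com) and directory. It covers the three things the messages above keep running into. First, a lint of the TLS directives: OpenLDAP's ldap.conf and slapd.conf treat '#' as a comment only at the start of a line, so a trailing "# /etc/openldap/cacerts" after a TLS_CACERTDIR value is taken as part of the directory name, which is what the debug line dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts' shows; note also that ldapsearch and other libldap clients read /etc/openldap/ldap.conf and ~/.ldaprc, while /etc/ldap.conf is the nss_ldap/pam_ldap file. Second, a non-hanging s_client probe: after printing the session summary, s_client keeps the connection open and reads stdin, so "HANGS HERE" with Verify return code 0 is a successful handshake, not a fault. Third, a private CA and a server certificate in the split layout slapd takes (TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile) together with the matching client-side TLS_CACERT/TLS_REQCERT lines; the server and client directive names differ, which is why they live in two files. The CA and server certificate are given distinct subject names; in the s_client output above the issuer and subject DNs are identical, which verifies fine but makes the chain hard to read.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenLDAP 2.x built against
# OpenSSL and the directive names shown below; paths and host name are
# hypothetical.

# lint_tls_directives CONF
# OpenLDAP treats '#' as a comment only at the start of a line, so a trailing
# "# ..." on a TLS directive becomes part of the file or directory name.
# Report such values, and values whose path does not exist.
# Prints one finding per line; returns 1 if there were any, 2 if unreadable.
lint_tls_directives() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1"; return 2; }
    findings=$(
        grep -Ei '^[[:space:]]*TLS_?(CACERT|CACERTDIR|CERT|KEY|CACertificateFile|CACertificatePath|CertificateFile|CertificateKeyFile)[[:space:]]' "$1" |
        while IFS= read -r line; do
            directive=$(printf '%s\n' "$line" | awk '{ print $1 }')
            value=$(printf '%s\n' "$line" | awk '{ $1 = ""; sub(/^[ \t]+/, ""); print }')
            case $value in
                *'#'*)
                    printf 'inline comment in %s (not supported by OpenLDAP): %s\n' "$directive" "$value"
                    value=${value%% #*}    # what was probably intended
                    ;;
            esac
            [ -e "$value" ] || printf 'missing path in %s: %s\n' "$directive" "$value"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# ldaps_probe HOST PORT CAFILE
# s_client stays connected and reads stdin after the handshake, so an
# interactive run looks hung once the session summary is printed. Feed it
# /dev/null and keep only the chain and verification lines.
ldaps_probe() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>&1 |
        grep -E 'depth=|verify |Verify return code|error'
}

# make_slapd_certs DIR CN
# Private CA with its own name, then a server certificate signed by it, in the
# split layout slapd expects (one file per role; no combined slapd.pem needed).
# Prints the verify result and the directives for both config files.
make_slapd_certs() {
    dir=$1; cn=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
        -subj "/O=Example/CN=Example LDAP CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/slapd-key.pem" -out "$dir/slapd.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$cn" > "$dir/slapd.ext"
    openssl x509 -req -days 365 -in "$dir/slapd.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/slapd.ext" -out "$dir/slapd-cert.pem" 2>/dev/null
    chmod 600 "$dir/slapd-key.pem" "$dir/ca-key.pem"
    # Check the chain before pointing slapd at it.
    openssl verify -CAfile "$dir/ca.pem" "$dir/slapd-cert.pem"
    cat <<EOF
# slapd.conf (server side)
TLSCACertificateFile  $dir/ca.pem
TLSCertificateFile    $dir/slapd-cert.pem
TLSCertificateKeyFile $dir/slapd-key.pem
TLSVerifyClient       never

# /etc/openldap/ldap.conf (client side; same CA, different directive names,
# no trailing comments on these lines)
TLS_CACERT  $dir/ca.pem
TLS_REQCERT demand
EOF
}

# Usage, with hypothetical paths:
#   make_slapd_certs /etc/openldap/pki ldap.example.com
#   lint_tls_directives /etc/openldap/ldap.conf
#   ldaps_probe ldap.example.com 636 /etc/openldap/pki/ca.pem
```

Run the lint against whichever file the failing client actually reads before touching certificates; in the thread's debug output the directory string itself is the problem, so no certificate placement would have fixed it. The probe's "Verify return code: 0 (ok)" with the CA file is the check that the server presents a chain the client can validate; TLS_REQCERT demand then makes ldapsearch insist on it rather than silently accept anything.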